
HIPAA Compliance, Data Breaches Are Top 2015 Stories

As 2015 comes to an end, it can be beneficial to review the top issues that covered entities and their business associates encountered on a daily basis.

Understanding HIPAA compliance will be critical for 2016, especially as the Office for Civil Rights (OCR) begins to conduct the next round of HIPAA audits. Moreover, learning from the healthcare data breaches of the past year will help organizations create stronger and more comprehensive data security plans.

HealthITSecurity.com reviewed some of the top stories from 2015, highlighting key issues and what organizations should potentially look for in the new year.

HIPAA compliance, violations

Several OCR HIPAA settlements were finalized this past year, with payments ranging from hundreds of thousands of dollars to millions of dollars.

On the lower end, St. Elizabeth's Medical Center (SEMC) agreed to pay $218,400. OCR had received a complaint on November 16, 2012, alleging that SEMC workforce members used an internet-based document sharing application to store documents containing the ePHI of nearly 500 individuals. This was done without first analyzing the risks associated with such a practice, OCR stated.

On the heftier end, Triple-S Management Corporation (TRIPLE-S) agreed to pay $3.5 million to settle potential HIPAA violations. Multiple data breaches reported between 2010 and 2015 led to the settlement. OCR added that the case underlined the importance not only of adhering to the Security Rule and performing a risk analysis, but also of "compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information."

Another key issue was understanding how HIPAA compliance applies to cloud technology. Under the HIPAA Omnibus Rule, cloud service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity are business associates, which means they must meet the same obligations as any other BA, including signing a business associate agreement and complying with the Security Rule.

“For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis,” the rule states. “Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”

Anthem data breach affects 78.8 million individuals

The largest healthcare data breach of the year was the incident at Anthem, Inc. Approximately 78.8 million individuals had their information exposed in a cyber attack.

Exposed data included names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses. Employment information, some of which included income data, might also have been exposed.

A multi-pronged approach that includes a proper incident response plan is critical to help prevent and contain these incidents, Patrick Wilson, Contra Costa County Health Services CISO and Assistant Director of EHR, said in an interview with HealthITSecurity.com.

Speaking after the Anthem data breach, Wilson explained that one of the best things a facility can do is to de-value the data from an infiltration perspective: encrypt all databases and segment the data so that a single compromise does not expose everything.

However, there were follow-on data security issues to watch out for after the Anthem data breach as well. Consumers were warned about phishing emails that tried to get recipients to click links in those emails or to reply with personal information.

“This outreach is from scam artists who are trying to trick consumers into sharing personal data,” Anthem said. “There is no indication that the scam email campaigns are being conducted by those that committed the cyber attack, or that the information accessed in the attack is being used by the scammers.”